Group Signature with Deniability: How to Disavow a Signature

Ishida, Ai; Emura, Keita; Hanaoka, Goichiro; Sakai, Yusuke; Tanaka, Keisuke

doi:10.1007/978-3-319-48965-0_14

Cited by 9 publications

(12 citation statements)

References 55 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another interesting functionality of group signatures that we consider in this work is deniability, suggested by Ishida et al [22]. It allows the tracing authority to provide a digital evidence that a given group user did not generate a signature in question.…”

Section: Introductionmentioning

confidence: 99%

“…It allows the tracing authority to provide a digital evidence that a given group user did not generate a signature in question. In [22], Ishida et al discussed various situations in which such functionality helps to protect the privacy of users. For instance, suppose that the entrace/exit control of a building is implemented using a group signature scheme, and the police wants to check whether a suspect was in this building at the time of a crime.…”

Section: Introductionmentioning

confidence: 99%

“…In such situation, deniable group signatures make it possible to prove that the signer of a given signature is not the suspect, while still keeping the signer's identity secret. As shown by Ishida et al [22], the main technical challenge towards realizing the deniability functionality consists of constructing a zero-knowledge proof/argument that a given ciphertext does not decrypt to a particular message. Such a mechanism is non-trivial to real-ize in general, but Ishida et al [22] managed to achieve it from pairing-based assumptions.…”

Section: Introductionmentioning

confidence: 99%

“…As shown by Ishida et al [22], the main technical challenge towards realizing the deniability functionality consists of constructing a zero-knowledge proof/argument that a given ciphertext does not decrypt to a particular message. Such a mechanism is non-trivial to real-ize in general, but Ishida et al [22] managed to achieve it from pairing-based assumptions.…”

Section: Introductionmentioning

confidence: 99%

“…Besides, considering that the journey to partial dynamicity in previous works [27,28] was shown not easy, we ask ourselves an inspiring question: Can we achieve full dynamicity with ease? Furthermore, given that deniability is an attractive and non-trivial functionality [22], can we also realize it with ease in the context of lattice-based group signatures? At the end of the day, it is good to solve an open research question, but it would be even better and more exciting to do this in a simple way.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Ling

Nguyen

Wang

et al. 2019

Theoretical Computer Science

View full text Add to dashboard Cite

Lattice-based group signature is an active research topic in recent years. Since the pioneering work by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010), eight other schemes have been proposed, providing various improvements in terms of security, efficiency and functionality. However, most of the existing constructions work only in the static setting where the group population is fixed at the setup phase. The only two exceptions are the schemes by Langlois et al. (PKC 2014) that handles user revocations (but new users cannot join), and by Libert et al. (Asiacrypt 2016) which addresses the orthogonal problem of dynamic user enrollments (but users cannot be revoked).In this work, we provide the first lattice-based group signature that offers full dynamicity (i.e., users have the flexibility in joining and leaving the group), and thus, resolve a prominent open problem posed by previous works. Moreover, we achieve this non-trivial feat in a relatively simple manner. Starting with Libert et al.'s fully static construction (Eurocrypt 2016) -which is arguably the most efficient lattice-based group signature to date, we introduce simple-but-insightful tweaks that allow to upgrade it directly into the fully dynamic setting. More startlingly, our scheme even produces slightly shorter signatures than the former, thanks to an adaptation of a technique proposed by Ling et al. (PKC 2013), allowing to prove inequalities in zero-knowledge. The scheme satisfies the strong security requirements of Bootle et al.'s model (ACNS 2016), under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions.Furthermore, we demonstrate how to equip the obtained group signature scheme with the deniability functionality in a simple way. This attractive functionality, put forward by Ishida et al. (CANS 2016), enables the tracing authority to provide an evidence that a given user is not the owner of a signature in question. In the process, we design a zero-knowledge protocol for proving that a given LWE ciphertext does not decrypt to a particular message.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Ling

Nguyen

Wang

et al. 2019

Theoretical Computer Science

View full text Add to dashboard Cite

show abstract

It Wasn’t Me!

Park

Sealfon

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability

Blazy

Derler

Slamanig

et al. 2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

International audienceGroup signatures are an important privacy-enhancing tool that allow to anonymously sign messages on behalf of a group. A recent feature for group signatures is controllable linkability, where a dedicated linking authority (LA) can determine whether two given signatures stem from the same signer without being able to identify the signer(s). Currently the linking authority is fully trusted, which is often not desirable. In this paper, we firstly introduce a generic technique for non-interactive zero-knowledge plaintext equality and inequality proofs. In our setting, the prover is given two ciphertexts and some trapdoor information, but neither has access to the decryption key nor the randomness used to produce the respective ciphertexts. Thus, the prover performs these proofs on unknown plaintexts. Besides a generic technique, we also propose an efficient instantiation that adapts recent results from Blazy et al. (CT-RSA'15), and in particular a combination of Groth-Sahai (GS) proofs (or sigma proofs) and smooth projective hash functions (SPHFs). While this result may be of independent interest, we use it to realize verifiable controllable linkability for group signatures. Here, the LA is required to non-interactively prove whether or not two signatures link (while it is not able to identify the signers). This significantly reduces the required trust in the linking authority. Moreover, we extend the model of group signatures to cover the feature of verifiable controllable linkability

show abstract

Group Signature with Deniability: How to Disavow a Signature

Cited by 9 publications

References 55 publications

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

It Wasn’t Me!

Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability

Contact Info

Product

Resources

About